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Amendments to the Claims : 
This listing of claims replaces all prior versions and listings of claims in the application: 

Listing of Claims : 

1 . (Currently Amended) A monitoring device disposed for thwarting denial of service 
attacks on a data center, the monitoring device comprising: 

a device , coupled to physical links between the data center a network, with the device 
disposed to examine traffic entering or leaving that data center on the coupled physical links and 
that collects statistical information on packets that are sent between a the network and the data 
center over the coupled physical links for a plurality of customers by examining traffic as if the 
device was disposed on links that are downstream from the coupled links that the provisioned 
monitor is coupled to diopos e d on . 

2. (Original) The monitoring device of claim 1 wherein the monitoring device is coupled 
to a control center through a dedicated, private network. 

3. (Original) The monitoring device of claim 2 wherein the device further comprises: 

a communication process that communicates statistics with the control center, and which 
receives queries or instructions from the control center. 

4. (Original) The monitoring device of claim 1 wherein the monitoring device is a 
gateway device and further comprises: 

a process to install filters to thwart denial of service attacks by removing network traffic 
that is deemed part of an attack. 
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5. (Original) The monitoring device of claim 1 wherein the monitoring device is a data 
collector device. 

6. (Original) The monitoring device of claim 4 wherein the gateway comprises: 

a process to aggregate traffic from the various links and to produce logs and detection 
heuristics. 

7. (Currently Amended) A method of thwarting denial of service attacks on a victim data 
center coupled to a network comprises: 

collectin g, using a provisioned monitor statistical information on packets that are sent 
between a network and a plurality of customers of the data center by examining traffic on 
selected links in the data center as if the collecting were being performed d e vic e was dispos e d on 
links that are downstream from the selected links that the provisioned monitor is disposed on; 
and 

communicating data, over a dedicated network, to a control center. 

8. (Original) The monitoring device of claim 7 wherein the device is a gateway device, 
which further comprises: 

installing filters to thwart denial of service attacks by removing network traffic that is 
deemed part of an attack. 

9. (Original) The monitoring device of claim 7 wherein the monitoring device is a data 
collector device. 

10. (Original) The monitoring device of claim 7 wherein collecting occurs for inbound 
and/or outbound traffic. 
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11. (Currently Amended) An arrangement disposed to monitor a link between a data 
center and a network for thwarting denial of service attacks on the data center, the arrangement 
comprising: 

a provisioned monito r, placed on selected links in the data center so that the provisioned 
examines traffic entering or leaving that data center on the selected links and that collects 
statistical information for a plurality of provisioned customers, which are on links that are 
downstream from the selected links that the provisioned monitor is disposed on, the provisioned 
monitor maintaining separate counter logs for each provisioned customer; and 

a global counter log that accounts for all traffic seen on the link that the provisioned 
montior monitor is coupled to. 

12. (Currently Amended) The arrangement bf claim 1 1 wherein the provisioned monitor 
is a gateway[[s]] that maintains separate packet logs for each virtual monitor. 

13. (Currently Amended) The arrangement of claim 44* 1_2 wherein the gateway maintains 
a global packet log for all traffic. 

14. (Currently Amended) The arrangement of claim 44- 13 wherein the global packet log 
includes a sample of all traffic seen on the link to which the gateway is connected. 

15. (Currently Amended) The arrangement of claim 14 wherein packet analysis for a 
particular virtual monitor happens by classifying packets based on addresses at the time of the 
analysis. 

16. (Currently Amended) The arrangement of claim 44- 13 wherein the gateway maintains 
duplicate packets, keeping both a global packet log and eae a packet log for each virtual monitor. 

17. (Currently Amended) The arrangement of claim 44- 12 wherein the gateway is a 
clustered gateway and includes a plurality of probes and a cluster head, with the cluster head 
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having a process to aggregate traffic from the probes and to produce separate counter logs for 
each provisioned customer; and a global counter log, and produce detection heuristics. 

18. (Currently Amended) The arrangement of claim 1 1 wherein the provisioned monitor 
including a virtual monitor for on e for the physical link on which the provisioned monitor is 
deployed is configured to be an independent node in the network capable of issuing attack 
warnings and responses to attack queries independently from other virtual monitors of the 
provisioned monitor. 

19. (Currently Amended) The arrangement of claim 44- 18 wherein the provisioned 
monitor including all of the provisioned monitor's virtual monitors act as one node in the 
distributed network. 

20. (Currently Amended) The arrangement of claim 19 wherein the provisioned monitor 
acts as an intermediary between virtual monitors and the rest of the network and includes a 
process to maintain communications with the control center and to reply to attack queries. 

21. (Currently Amended) The arrangement of claim 18 wherein the provisioned 
monitor's virtual monitors have filters installed on a per virtual monitor basis. 

22. (Currently Amended) The arrangement of claim 20 18 wherein when a virtual 
monitor detects an attack on a provisioned customer, information is conveyed both to the control 
center and to the a hosting provider's management interface. 

23. (Currently Amended) The arrangement of claim 22 wherein the control center is 
adapted to distinguish an attack on a single provisioned customer [[(]] associated with a virtual 
monitor[[)]] and an attack on the link(s) on which the monitor is physically deployed. 
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24. (Currently Amended) A method of thwarting donial of oorvico attacks on a victim 
data center coupled to a network comprises: 

collecting statistical information for a plurality of provisioned customers on links that are 
downstream from links on which collecting occurs; and 

maintaining separate counter logs for each provisioned customer; and a global counter 
log that accounts for all traffic seen on the links on which collecting occurs. 

25. (Original) The method of claim 24 wherein collecting occurs on a gateway that passes 
network packets, the gateway being disposed at an edge of the network. 

27. (Original) The method of claim 24 wherein collecting occurs on a data collector that 
samples network packets, the data collector being disposed at a location that is at a large 
aggregation link in the network for the data center. 

28. (Original) The method of claim 24 further comprising: 

performing, by the provisioned gateway, intelligent traffic analysis and filtering to 
identify the malicious traffic and to eliminate the malicious traffic. 

29. (Currently Amended) A method of thwarting denial of s e rvic e attacks on a victim 
data center coupled to a network comprises: 

collecting statistical information for a plurality of links that are downstream from links on 
which collecting occurs; 

performing traffic analysis on the collected statistical information on a per downstream 
link basis to identify malicious traffic; and 

communicating alerts that arise from the traffic analysis. 



30. (Original) The method of claim 28 wherein performing analysis occurs on statistical 
information collected for an individual one of the downstream links to identify malicious traffic 
intended for the individual one of the downstream links. 
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31. (Original) The method of claim 28 wherein communicating to a control center occurs 
on a downstream link basis. 

32. (Original) The method of claim 28 wherein communicating occurs on a downstream 
link basis to a control center that determines a response to the attack. 

33. (Original) The method of claim 28 wherein communicating occurs on a downstream 
link basis over a dedicated, hardened network to a control center that determines a response to 
the attack. 

34. (Original) The method of claim 28 further comprising: 

filtering the identified malicious traffic and to eliminate the malicious traffic from 
reaching the one of the downstream links. 



